A condition specifies the requirements that must be met for a policy statement to take effect. You can set condition keys in key policies, secret policies, and RAM custom policies to control access to KMS. This topic describes the common Alibaba Cloud condition keys and the KMS-specific condition keys that KMS supports.
The Principal field in the examples is required for key policies and secret policies. RAM custom policies do not use this field.
An Allow statement with a condition grants access only while the condition holds; it does not by itself block a request that fails the condition if another statement allows that request. To enforce a restriction regardless of other grants, write a Deny statement with the negated operator (for example NotIpAddress or StringNotEquals): an explicit Deny always overrides an Allow.
Common Alibaba Cloud condition keys
acs:SourceIp
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| acs:SourceIp | The public IP address of the client that sends the request. | IP address | All KMS OpenAPI operations. For a list of operations, see API overview. | A single IP address or a CIDR block, for example 203.0.XX.XX or 116.62.XX.XX/24. | RAM custom policies, key policies, secret policies |
RAM policy example
This policy allows the GenerateDataKey operation to be performed only if the request is sent from an IP address in the 116.62.XX.XX/24 address range.
{
  "Statement": [
    {
      "Action": "kms:GenerateDataKey",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "116.62.XX.XX/24"
        }
      }
    }
  ],
  "Version": "1"
}

Key or secret policy example
This policy allows the RAM user ramuser1 to perform all KMS operations on the key or secret, but only when the request is sent from the IP address 203.0.XX.XX.
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "203.0.XX.XX"
          ]
        }
      }
    }
  ]
}

acs:SourceVpc
| Condition key | Description | Conditional operator type | API operation | Value | Policy type |
| --- | --- | --- | --- | --- | --- |
| acs:SourceVpc | The VPC to which the client that sends the request belongs. This condition key is valid only if the request is sent from an Alibaba Cloud VPC. | String | All KMS OpenAPI operations. For a list of operations, see API overview. | The ID of a VPC. Example: vpc-bp1717bgs34gj****. | RAM custom policies, key policies, secret policies |
Limits:
- All Action elements in the Statement field of a policy must start with kms:. For example, "Action":"kms:*" and "Action":"kms:GenerateDataKey" are valid, but "Action":"*" and "Action":"k*" are invalid.
- This condition key is supported only in specific regions.
Key or secret policy example: This policy allows only the RAM user ramuser1 to send requests from vpc-bp1l8j1t3l3j5****.
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:SourceVpc": [
            "vpc-bp1l8j1t3l3j5****"
          ]
        }
      }
    }
  ]
}

acs:VpcSourceIp
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| acs:VpcSourceIp | The private IP address of the client that sends the request. This condition key is valid only if the request is sent from an Alibaba Cloud VPC. | IP address | All KMS OpenAPI operations. For a list of operations, see API overview. | A single IP address or a CIDR block inside a VPC, for example 192.168.XX.XX or 172.168.XX.XX/24. | RAM custom policies, key policies, secret policies |

Limit: This condition key is supported only in specific regions.
RAM policy example
This policy allows requests only from the 172.168.XX.XX/24 address range in vpc-bp1717bghfnkqg5wn****.
{
  "Statement": [
    {
      "Action": "kms:GenerateDataKey",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:SourceVpc": "vpc-bp1717bghfnkqg5wn****"
        },
        "IpAddress": {
          "acs:VpcSourceIp": "172.168.XX.XX/24"
        }
      }
    }
  ],
  "Version": "1"
}

Key or secret policy example
This policy allows the RAM user ramuser1 to perform all KMS operations on the key or secret, but only when the request is sent from the VPC IP address 192.168.XX.XX.
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:VpcSourceIp": [
            "192.168.XX.XX"
          ]
        }
      }
    }
  ]
}

acs:SecureTransport
| Condition key | Description | Conditional operator type | API operation | Valid values | Policy type |
| --- | --- | --- | --- | --- | --- |
| acs:SecureTransport | Indicates whether the request is sent over a secure channel (HTTPS). | Boolean | All KMS OpenAPI operations. For a list of operations, see API overview. | true, false | RAM custom policies, key policies, secret policies |
RAM policy example
This policy allows users to perform any operation on all KMS resources, provided that the request is sent over HTTPS.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ]
}

Key or secret policy example
This policy allows the RAM user ramuser1 to perform all KMS operations on the key or secret, but only when the request is sent over HTTPS.
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ]
}

acs:CurrentTime
| Condition key | Description | Conditional operator type | API operation | Value | Policy type |
| --- | --- | --- | --- | --- | --- |
| acs:CurrentTime | The time when the server receives the request. | Date and time | All KMS OpenAPI operations. For a list of operations, see API overview. | The time is in UTC and must follow the ISO 8601 standard. For example, 20:00:00 on January 10, 2024 (UTC+8) is represented as 2024-01-10T12:00:00Z. | |
Key or secret policy example: This policy allows the RAM user ramuser1 to perform all KMS operations on the key or secret, but only for requests received before 2099-12-31T12:00:00Z.
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "DateLessThan": {
          "acs:CurrentTime": "2099-12-31T12:00:00Z"
        }
      }
    }
  ]
}

acs:MFAPresent
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| acs:MFAPresent | Indicates whether multi-factor authentication (MFA) was used for the logon that produced the request. | Boolean | All KMS OpenAPI operations. For a list of operations, see API overview. | true, false | |
Key or secret policy example: This policy allows the RAM user ramuser1 to perform all KMS operations on the key or secret, but only if the user authenticated with multi-factor authentication (MFA).
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": [
            "true"
          ]
        }
      }
    }
  ]
}

KMS product condition keys (key-related)
kms:tag
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:tag | Filters access to API operations based on key tags. | String | | A custom key tag. | |
kms:EncryptionAlgorithm
| Condition key | Description | Conditional operator type | API operation | Value | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:EncryptionAlgorithm | Filters access to cryptographic operations based on the value of the encryption algorithm in the request. | String | Cryptographic operations that take an encryption algorithm parameter, for example Encrypt, Decrypt, and ReEncrypt. | The encryption algorithm, such as SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_256, or ECIES_DH_SHA_1_XOR_HMAC. For more information about the encryption algorithms that KMS supports, see Key types and specifications. | |
For example, this statement restricts the RAM user key_ramuser1 to the RSAES_OAEP_SHA_256 algorithm for encryption, decryption, and re-encryption with the key: it explicitly denies kms:Encrypt, kms:Decrypt, and kms:ReEncrypt whenever the algorithm in the request is anything other than RSAES_OAEP_SHA_256. Because an explicit Deny overrides any Allow, the restriction holds even if another statement grants kms:* to the user. Pinning the algorithm this way improves the security and compliance of key usage and prevents a non-compliant or weaker algorithm from being used with the key.
{
  "Sid": "Allow only one encryption algorithm with this asymmetric KMS key",
  "Effect": "Deny",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:user/key_ramuser1"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "kms:EncryptionAlgorithm": "RSAES_OAEP_SHA_256"
    }
  }
}

kms:EncryptionContext:${EncryptionContextKey}
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:EncryptionContext:${EncryptionContextKey} | Filters access to KMS symmetric keys based on the encryption context in cryptographic operations. This condition evaluates the key and value of each key-value pair in the encryption context. | String | Cryptographic operations that accept an EncryptionContext parameter. | The EncryptionContext that you set. | |
For example, this statement allows all RAM users and RAM roles that belong to the Alibaba Cloud account 119285303511**** to perform the kms:GenerateDataKey operation, but only when the encryption context in the request contains the key Project with the value ProjectA.
{
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:Project": "ProjectA"
    }
  }
}

kms:EncryptionContextKeys
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:EncryptionContextKeys | Filters access to KMS symmetric keys based on the encryption context in cryptographic operations. This condition evaluates only the keys of the key-value pairs in the encryption context. | String array | Cryptographic operations that accept an EncryptionContext parameter. | The keys of the key-value pairs in the EncryptionContext that you set. | Key policies |
For example, this statement allows all RAM users and RAM roles that belong to the Alibaba Cloud account 119285303511**** to perform the kms:GenerateDataKey operation, but only when the encryption context (EncryptionContext) in the request includes the key Project.
{
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContextKeys": "Project"
    }
  }
}

kms:ExpirationModel
| Condition key | Description | Conditional operator type | API operation | Value | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:ExpirationModel | Filters access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request. | String | ImportKeyMaterial | The expiration model of the key material, for example KEY_MATERIAL_DOES_NOT_EXPIRE. | |
For example, this statement allows all RAM users and RAM roles that belong to the Alibaba Cloud account 119285303511**** to perform the kms:ImportKeyMaterial operation, but only if the expiration model of the key material is KEY_MATERIAL_DOES_NOT_EXPIRE.
{
  "Effect": "Allow",
  "Principal": {
    "RAM": "acs:ram::119285303511****:*"
  },
  "Action": "kms:ImportKeyMaterial",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"
    }
  }
}

kms:ValidTo
| Condition key | Description | Conditional operator type | API operation | Value | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:ValidTo | Filters access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request, that is, the expiration time of the imported key material. You can use this condition key to allow users to import key material only if it expires on or before a specified date. | Date, expressed as a UNIX timestamp and compared with the numeric operators, as in the example below. | ImportKeyMaterial | UNIX timestamp (seconds) | |
For example, this statement allows all RAM users and RAM roles that belong to the Alibaba Cloud account 119285303511**** to import key material only if the ValidTo value in the request, that is, the expiration time of the key material, is no later than 1718841600 (2024-06-20T00:00:00Z). Key material that would remain valid past that time cannot be imported under this statement.
{
  "Effect": "Allow",
  "Principal": {
    "RAM": "acs:ram::119285303511****:*"
  },
  "Action": "kms:ImportKeyMaterial",
  "Resource": "*",
  "Condition": {
    "NumericLessThanEquals": {
      "kms:ValidTo": "1718841600"
    }
  }
}

kms:KeyOrigin
| Condition key | Description | Conditional operator type | API operation | Valid values | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:KeyOrigin | Filters access to API operations based on the Origin property of the KMS key that is created or used in the operation. Use this condition to limit permissions for the CreateKey operation or for any operation that grants permissions on KMS key resources. | String | All key-related OpenAPI operations. For a list of operations, see API overview. | The Origin property of the key: Aliyun_KMS for key material generated by KMS, or EXTERNAL for imported key material. | |
kms:KeySpec
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:KeySpec | Filters access to API operations based on the KeySpec property of the KMS key that is created or used in the operation. | String | All key-related OpenAPI operations. For a list of operations, see API overview. | The key specification, such as Aliyun_AES_256 or RSA_2048. For more information about the key specifications that KMS supports, see Key types and specifications. | |
For example, this statement allows all RAM users and RAM roles that belong to the Alibaba Cloud account 119285303511**** to perform the kms:CreateKey operation, but only to create RSA keys (any KeySpec that matches RSA_*).
{
  "Effect": "Allow",
  "Action": "kms:CreateKey",
  "Principal": {
    "RAM": "acs:ram::119285303511****:*"
  },
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:KeySpec": "RSA_*"
    }
  }
}

kms:KeyUsage
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:KeyUsage | Filters access to API operations based on the KeyUsage property of the KMS key that is created or used in the operation. | String | All key-related OpenAPI operations. For a list of operations, see API overview. | The KeyUsage property of the key (encryption and decryption, or signing and verification), spelled exactly as the CreateKey operation accepts it. | |
For example, this RAM custom policy statement allows the kms:CreateKey operation, but only to create keys whose usage is ENCRYPT_DECRYPT; creating a signing key is not covered by this statement.
{
  "Effect": "Allow",
  "Action": "kms:CreateKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:KeyUsage": "ENCRYPT_DECRYPT"
    }
  }
}

kms:ScheduleKeyDeletionPendingWindowInDays
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:ScheduleKeyDeletionPendingWindowInDays | Filters access to the ScheduleKeyDeletion operation based on the value of the PendingWindowInDays parameter in the request. | Number | ScheduleKeyDeletion | The scheduled deletion period of a key, in days. | |
For example, this statement denies all users and roles the kms:ScheduleKeyDeletion operation if the requested deletion period is 21 days or less. Because it is an explicit Deny, a shorter pending window is refused even for principals that are otherwise allowed to schedule deletion, which preserves time to cancel an accidental or malicious deletion.
{
  "Effect": "Deny",
  "Action": "kms:ScheduleKeyDeletion",
  "Principal": "*",
  "Resource": "*",
  "Condition": {
    "NumericLessThanEquals": {
      "kms:ScheduleKeyDeletionPendingWindowInDays": "21"
    }
  }
}

kms:SigningAlgorithm
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:SigningAlgorithm | Filters access to the Sign and Verify operations based on the signature algorithm in the request. | String | Sign, Verify | The signature algorithm, such as RSA_PSS_SHA_256 or ECDSA_SHA_256. For a list of supported signature algorithms, see Key types and specifications. | |
kms:WrappingAlgorithm
| Condition key | Description | Conditional operator type | API operation | Valid values | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:WrappingAlgorithm | Filters access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request. | String | GetParametersForImport | The wrapping algorithm. For more information about the wrapping algorithms that KMS supports, see Import key material for a symmetric key and Import key material for an asymmetric key. | |
kms:WrappingKeySpec
| Condition key | Description | Conditional operator type | API operation | Valid range | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:WrappingKeySpec | Filters access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request. | String | GetParametersForImport | The type of the wrapping public key. For more information about the wrapping public key types that KMS supports, see Import key material for a symmetric key and Import key material for an asymmetric key. | |
kms:KmsInstanceId
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:KmsInstanceId | Controls access based on the ID of the KMS instance associated with the request. | String | Cryptographic operations, management operations, and tagging operations on keys. | Instance ID | RAM custom policies, key policies |
Examples:
Custom RAM policy
{
  "Effect": "Allow",
  "Action": "kms:CreateKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:KmsInstanceId": "kst-**"
    }
  }
}

Key policy
{
  "Effect": "Allow",
  "Principal": {
    "RAM": "acs:ram::119285303511****:*"
  },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:KmsInstanceId": "kst-**"
    }
  }
}

KMS product condition keys (secret-related)
kms:tag
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:tag | Filters access to API operations based on secret tags. | String | | A custom secret tag. | |
kms:SecretName
| Condition key | Description | Conditional operator type | API operation | Value | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:SecretName | Filters access to API operations based on the value of the SecretName parameter in the request. | String | All secret-related OpenAPI operations. For a list of operations, see API overview. | A custom secret name. | |
kms:EncryptionKeyId
| Condition key | Description | Conditional operator type | API operation | Valid values | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:EncryptionKeyId | Filters access to API operations based on the ID of the KMS key that encrypts the secret in the request. | String | | Key ID. | |
kms:SecretVersionId
| Condition key | Description | Conditional operator type | API operation | Valid values | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:SecretVersionId | Filters access to API operations based on the unique identifier of the secret version in the request. | String | | The version number of the secret. | |
kms:SecretVersionStage
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:SecretVersionStage | Filters access to API operations based on the secret version stages in the request. | String | | | |
kms:SecretType
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:SecretType | Filters access to API operations based on the secret type in the request. | String | All secret-related OpenAPI operations. For a list of operations, see API overview. | The secret type, for example Generic. | |
kms:ForceDeleteWithoutRecovery
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:ForceDeleteWithoutRecovery | Filters access to the DeleteSecret operation based on the value of the ForceDeleteWithoutRecovery parameter in the request. A force-deleted secret cannot be recovered. | Boolean | DeleteSecret | true, false | |
kms:RecoveryWindowInDays
| Condition key | Description | Conditional operator type | API operation | Value | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:RecoveryWindowInDays | Filters access to the DeleteSecret operation based on the value of the RecoveryWindowInDays parameter in the request, which sets the recovery window, in days, of a recoverable deletion. | Number | DeleteSecret | Number of days. | |
For example, this policy denies all users and roles the kms:DeleteSecret operation if the requested recovery window is 10 days or less. As an explicit Deny it takes precedence over any Allow, so a principal who may delete secrets still cannot shorten the window below the floor.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "kms:DeleteSecret",
      "Principal": "*",
      "Resource": "*",
      "Condition": {
        "NumericLessThanEquals": {
          "kms:RecoveryWindowInDays": "10"
        }
      }
    }
  ]
}
kms:KmsInstanceId
| Condition key | Description | Conditional operator type | API operation | Value range | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:KmsInstanceId | Controls access based on the ID of the KMS instance associated with the request. | String | | Instance ID | RAM custom policies, key policies |
Examples:
Custom RAM policy
{
  "Effect": "Allow",
  "Action": "kms:CreateSecret",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:KmsInstanceId": "kst-**"
    }
  }
}

Key policy
{
  "Effect": "Allow",
  "Principal": {
    "RAM": "acs:ram::119285303511****:*"
  },
  "Action": "kms:CreateSecret",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:KmsInstanceId": "kst-**"
    }
  }
}

Other KMS product condition keys
kms:TlsVersion
| Condition key | Description | Conditional operator type | API operation | Valid values | Policy type |
| --- | --- | --- | --- | --- | --- |
| kms:TlsVersion | Filters access to API operations based on the TLS version used by the request. | String; the example below compares the version number with NumericLessThan. | All OpenAPI operations that require authentication. Note: operations that do not require authentication, such as DescribeRegions, are not covered. | The TLS version number, for example 1.2. | |
For example, this policy denies every operation on the specified key if the Transport Layer Security (TLS) version of the request is earlier than 1.2. Because it is a Deny, it blocks clients that negotiate an obsolete TLS version even when a separate Allow grants them the operation.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "kms:*",
      "Resource": "acs:kms:*:*:key/key-hzz653f1f8fybn5qa****",
      "Condition": {
        "NumericLessThan": {
          "kms:TlsVersion": [
            "1.2"
          ]
        }
      }
    }
  ]
}

Appendix 1: Conditional operator types
Conditional operators are classified into the following categories: string, number, date and time, Boolean, and IP address.
| Conditional operator type | Supported operators |
| --- | --- |
| String | StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike |
| Number | NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals |
| Date and time | DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals |
| Boolean | Bool |
| IP address | IpAddress, NotIpAddress |
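The operator semantics in this appendix, and the rule that an explicit Deny overrides an Allow which the page's Deny examples depend on, are easier to check with a small offline model. The following Python is an added example written for this page; it is not Alibaba Cloud's policy engine and not KMS SDK code. It implements the operators the page's examples use (IpAddress and NotIpAddress over CIDR blocks, the String, Numeric, Date and Bool operators), evaluates a request against a policy with Deny taking precedence, checks the acs:SourceVpc limit that every Action must start with kms:, and runs constructed policies modelled on the acs:SourceIp, kms:EncryptionAlgorithm and kms:ScheduleKeyDeletionPendingWindowInDays examples. Assumptions: Principal and Resource are taken to match, a condition key that is absent from the request context never satisfies a condition, and the IP addresses are documentation ranges because the page masks its own.

```python
"""Offline model of RAM/KMS policy conditions (constructed example, not Alibaba Cloud code)."""
import fnmatch
import ipaddress
from datetime import datetime, timezone


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    # acs:CurrentTime values are ISO 8601 in UTC, e.g. 2024-01-10T12:00:00Z
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def _ip_in(request_ip, cidrs):
    addr = ipaddress.ip_address(request_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


# operator name -> function(policy values, request value) -> bool
# StringLike treats '*' as a wildcard (fnmatch also honours '?' and '[]', which RAM does not).
OPERATORS = {
    "StringEquals": lambda pol, req: req in pol,
    "StringNotEquals": lambda pol, req: req not in pol,
    "StringLike": lambda pol, req: any(fnmatch.fnmatchcase(req, p) for p in pol),
    "NumericLessThan": lambda pol, req: any(float(req) < float(p) for p in pol),
    "NumericLessThanEquals": lambda pol, req: any(float(req) <= float(p) for p in pol),
    "DateLessThan": lambda pol, req: any(_parse_time(req) < _parse_time(p) for p in pol),
    "Bool": lambda pol, req: str(req).lower() in [str(p).lower() for p in pol],
    "IpAddress": lambda pol, req: _ip_in(req, pol),
    "NotIpAddress": lambda pol, req: not _ip_in(req, pol),
}


def condition_holds(condition, ctx):
    """Every operator block and every key must match (logical AND).
    Assumption: a key missing from the request context never satisfies a condition."""
    for op, pairs in condition.items():
        fn = OPERATORS[op]
        for key, policy_values in pairs.items():
            if key not in ctx or not fn(_as_list(policy_values), ctx[key]):
                return False
    return True


def evaluate(policy, action, ctx):
    """Decision for one request: an explicit Deny beats any Allow, and a request
    matched by no statement is an implicit deny. Principal and Resource are assumed
    to match (the page's examples use Resource "*")."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def actions_are_kms_scoped(policy):
    """The page's limit for acs:SourceVpc: every Action element must start with 'kms:'."""
    return all(a.startswith("kms:")
               for stmt in policy["Statement"] for a in _as_list(stmt["Action"]))


# Constructed policies modelled on the page's examples. 203.0.113.0/24 is a
# documentation range standing in for the masked 116.62.XX.XX/24.
SOURCE_IP_ALLOW = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "kms:GenerateDataKey", "Resource": "*",
     "Condition": {"IpAddress": {"acs:SourceIp": "203.0.113.0/24"}}}]}

# A broad Allow plus the kms:EncryptionAlgorithm Deny: the Deny pins the algorithm.
ALGORITHM_PIN = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"kms:EncryptionAlgorithm": "RSAES_OAEP_SHA_256"}}}]}

# A broad Allow plus the ScheduleKeyDeletion Deny for windows of 21 days or less.
DELETION_GUARD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "kms:ScheduleKeyDeletion", "Resource": "*",
     "Condition": {"NumericLessThanEquals": {"kms:ScheduleKeyDeletionPendingWindowInDays": "21"}}}]}


if __name__ == "__main__":
    print(evaluate(SOURCE_IP_ALLOW, "kms:GenerateDataKey", {"acs:SourceIp": "198.51.100.9"}))
    print(evaluate(ALGORITHM_PIN, "kms:Encrypt", {"kms:EncryptionAlgorithm": "SYMMETRIC_DEFAULT"}))
    print(evaluate(DELETION_GUARD, "kms:ScheduleKeyDeletion",
                   {"kms:ScheduleKeyDeletionPendingWindowInDays": "7"}))
```

Running the three cases in the main block prints ImplicitDeny, Deny and Deny: the conditional Allow simply fails to match a request from another network, whereas the two Deny statements refuse the request even though kms:* is allowed in the same policy. That difference is why the page's algorithm, deletion-window, recovery-window and TLS examples are written as Deny statements.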